3 minute read
Data Governance
processed within Canada. Canadian domestic internet traffic should remain within Canada.
As data regulations, laws and infrastructure evolve, countries will need to balance their national security concerns with economic and political considerations. Ensuring sovereignty over data and key cyber-infrastructure is now increasingly critical to protecting citizens. Citizen data and sensitive corporate data are at the centre of a struggle between national security and economic growth.13 This is challenging because data must flow across borders as well as within them.
Data is now a form of capital. Accumulating and monetizing Canadian data is critical to future economic growth. To offer one compelling example, the genetic testing company 23andMe collects vast amounts of genetic data from ordinary Canadians through the use of home-based saliva collection kits. The company’s current market cap is $3.2 billion, with 2020 revenues at $475 million. Even as Canadian genomic data freely transits the Canadian border with little or no oversight, the decision to simply “give up” this data undermines Canadian sovereignty and future prosperity.
The asymmetry at play between large data platform companies and individual consumers means that ordinary Canadians are at a substantial disadvantage. Without public oversight, platform companies can act in ways that are harmful to Canada and Canadians. As Facebook whistle-blower Frances Haugen observed, “Until we bring in a counterweight, these [platforms] will be operated for the shareholders’ interest and not the public interest” (Haugen, quoted in Waterson and Milmo 2021).
13 Cross-border data transfers have been recently challenged between the European Union and the United States are proving to be a growing problem both for economic growth and security. The Court of Justice of the European Union (CJEU) issued a verdict on July 16, 2020, ruling that the EU-US Privacy Shield was invalid. This shield allowed companies to transfer data between the United States and the European Union; however, the CJEU invalidated it due to concerns around surveillance by the US government. This case is known as Schrems II (see https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II). Due to national security concerns, cross-border data flows are under heavy scrutiny. There is also concern that the ruling could put an excessive burden on companies with respect to managing the data of EU citizens when there are cross-border transfers required.
What we require today are governing systems that provide new data standards, new regulatory systems and a new legal infrastructure for guiding the evolution of data-driven technologies. Given Canada’s history, economy and values, it is clear that Canadian national security strategy should provide appropriate interoperability and governance standards to support a globally articulated data economy. This approach requires a national security strategy that supports collaboration across departments (i.e., ISED, Global Affairs Canada) and across domestic and international fronts on matters related to data and data-driven EDT. The public service will also require education in developing a uniquely Canadian model of data governance even as Canadian policy makers learn from other countries.
Data governance remains a daunting challenge. There are at least three broad models for data governance practised across the world’s largest economies today, in the European Union, China and the United States. Despite these varying approaches, many countries are now requiring that data on their citizens be stored or processed within their borders. This rapidly changing global regulatory landscape around data places a particular burden on industry. Chief information security officers and legal and compliance teams are now required to carry the weight of these global regulatory challenges, even as their businesses aim to capitalize on revenue from data.14
The European Union: Data for the Purpose of Citizen Advancement
In 2018, the European Union released a data sovereignty regulation known as the General Data Protection Regulation (GDPR), which has quickly become a global standard. The GDPR prioritizes data privacy and places EU citizens squarely in control of their own data. Ursula von der Leyen, president of the European Commission, has pledged
14 These teams must verify that data exists only where it is allowed as well as show the lineage of data. This task is already monumental, but coupled with digital transformation efforts to move data to the cloud, it becomes expensive as well. Until best practices are established or new tools made available, we can expect many industries to invest heavily in data protection and compliance.
